Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor

In June 2025, IBM X-Force researchers discovered China-aligned threat actor, Hive0154, spreading Pubload malware featuring lure documents and filenames targeting the Tibetan community. The Tibetan sovereignty dispute is often invoked by Chinese threat groups in their cyber operations, with the latest campaign coinciding with activities leading up to a major event for the Tibetan community, the Dalai Lama's 90th birthday.

Several lures observed feature the following topics related to the Tibetan community:

• The 9th World Parliamentarians' Convention on Tibet (WPCT), held from 06/02 - 06/04 in Tokyo, Japan.
• China’s education policy in the Tibet Autonomous Region (TAR). The topic is of high importance to the Tibetan community, and cultural assimilation in Tibet has been noted by Human Rights Watch in its report. 
• The March 2025 book Voice for the Voiceless, published by the Tibetan leader-in-exile, the Dalai Lama. The book discusses the Dalai Lama's dialogue with Chinese leaders regarding the independence of Tibet.

• China-aligned threat actor Hive0154 has spread numerous phishing lures in targeted campaigns throughout 2025 to deploy the Pubload backdoor
• Hive0154 devises filenames referencing various geopolitical topics tailored to elicit increased interest from the targeted recipients
• As of May 2025, X-Force noticed an increased focus on topics tailored to target the Tibetan community
• The phishing campaigns reference the 9th World Parliamentarians' Convention on Tibet (WPCT) held in Tokyo in June, China’s education policy in the Tibet Autonomous Region (TAR) and the 2025 book Voice for the Voiceless by the Dalai Lama

Hive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques and well-documented activity over the past several years. The group consists of multiple subclusters and engages in cyberattacks targeting public and private organizations, including think tanks, policy groups, government agencies and individuals. X-Force's observation of the group's use of multiple custom malware loaders, backdoors and USB worm families showcases their advanced capabilities. Hive0154 activity overlaps with threat actors publicly reported as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris and Earth Preta.

X-Force previously detailed extensive activity attributed to a subcluster of Hive0154 targeting the US, Philippines, Pakistan and Taiwan in a suspected espionage campaign from late 2024 to early 2025. The group makes use of weaponized archives originating from spear phishing emails to target entities including the Philippines', the United States' and Pakistan's government, military and diplomatic personnel. The phishing emails, archives and malicious file names use references to various geopolitical topics tailored to their specific audience to elicit increased interest from the recipients. The emails commonly include Google Drive URLs that download weaponized ZIP or RAR archives if the recipient clicks on the link.

The archives contain a benign executable vulnerable to DLL sideloading and a malicious Claimloader DLL. The executables are typically renamed to trick victims into opening them, which would immediately trigger the infection chain. The Claimloader malware establishes persistence, decrypts its embedded Pubload payload and injects it into memory. Pubload further downloads Pubshell, a light-weight backdoor facilitating immediate access to the machine via a reverse shell. 

At the time the campaign first began (May 21), the WPCT lure below was likely a reference to the upcoming convention held in Tokyo, Japan, from June 2 to June 4.

The convention is usually held in the U.S. or Europe, and was hosted in Japan for the first time. Overall, 142 parliamentarians and representatives from 29 countries were in attendance, including parliamentary members from Belgium and Japan. The Chinese embassy in Japan issued a strong denouncement over the Central Tibetan Administration's, also known as the Tibetan government-in-exile, involvement in the convention. The convention resulted in the Tokyo Declaration, condemning Chinese government repression in the Tibet region, and calling for international legislation to safeguard Tibetan cultural and religious freedom. X-Force researchers uncovered the Hive0154 campaign devising different lures pre- and post-convention.

After the convention, several declarations were issued, including Wise Action Plans on Tibet. Hive0154 likely copied it from the website and into a benign Microsoft Word document (DOCX) within a weaponized archive. The archive further contains articles directly copied from multiple Tibetan websites (here and here) in relation to the convention, as well as authentic photos from the convention. The presence of legitimate articles and photos among the weaponized executables sharing the same names is likely to trick victims into accidentally opening one of the EXE files and unknowingly triggering the infection.

"9th WPCT Region-Wise Action Plans on Tibet.exe": 

"Tibet in Focus as Global Lawmakers Convene in Tokyo.exe":

Photos from the convention used as lure: "9th WPCT Region-Wise Action Plans on Tibet(DSC01650.jpg).exe"

In another campaign, X-Force uncovered additional malicious Tibet-themed files. These files have names with topics that are of interest to the Tibetan community, such as bilingual education in Tibet or the title of a recently published book by the Dalai Lama. Choosing such topics was probably engineered to entice the recipients to be receptive and click the file. It is notable that the Tibetan-related samples were submitted from India, where the Tibetan government-in-exile currently operates, and this suggests that recipients of the files may have submitted them to VirusTotal. In a parallel campaign, X-Force discovered a file likely targeting the U.S. Navy, potentially discussing ongoing working group meetings between the U.S. Navy and other parties.

"སྐད་གཉིས་སློབ་གསོ་བསྒྱུར་བཅོས་སྙན་ཞུ/སྐད་གཉིས་སློབ་གསོ་བསྒྱུར་བཅོས་སྙན་ཞུ.exe" (translated Tibetan: Bilingual Education Reform Report/Bilingual Education Reform Report.exe): The topic is of high importance to the Tibetan community and cultural assimilation in Tibet has been noted by Human Rights Watch in its report.

"Voice for the Voiceless photos/Voice for the Voiceless photos.exe": This is a reference to a book published by the Tibetan leader-in-exile, the Dalai Lama, in March 2025. He writes about his dialogue with Chinese leaders regarding the independence of Tibet.

"DRC Mining, Strategic Minerals Development Policy/April 17/DRC Mining, Strategic Minerals Development Policy.exe": This file may be a reference to the Democratic Republic of Congo (DRC) mining deal with the U.S. and efforts to gain its support for such a deal after observing Ukraine reaching a similar deal with the U.S. As of June 2025, the DRC is about to finalize the deal with the U.S. in return for military and diplomatic assistance against M23 rebels who are being supported by neighboring Rwanda.

"(USPACFLT) Working_Group_Meeting/DF for After Activity Report on the conduct of 4th PN-United States Pacific Fleet (USPACFLT) Working Group Meeting (WGM).exe": This may be a reference to the U.S. Navy's Pacific Fleet and its outreach activities to Pacific Rim countries. The fleet provides naval forces to the U.S. Indo-Pacific Command and may be called upon in the event of a conflict in Taiwan.

Claimloader is a family of loaders that have evolved significantly over the past years. They contain an encrypted shellcode payload, which is decrypted and injected at runtime. Our previous blog provides more technical details on previous variants used by Hive0154.

On the first execution, Claimloader begins by creating a new mutex object to ensure only a single instance of Claimloader is running. It then moves itself and its processes' EXE used for DLL sideloading into a new directory under a new name, such as:

Next, Claimloader uses the API SHSetValueA() to establish persistence for the EXE via a registry key below:

This will cause the EXE to be executed every time the current user logs onto the machine. The process is executed with a predefined argument, such as "Licensing", which is used to invoke the main functionality of Claimloader.

On the second Claimloader execution with the specified argument, the latest Claimloader variant begins to decrypt an embedded payload via the TripleDES algorithm. This algorithm has only been observed in Claimloader variants starting late April 2025. The updated variants also use XOR-encrypted API names and native APIs LdrLoadDll() and LdrGetProcedureAddress() to resolve imports dynamically.

After sleeping for five seconds, Claimloader allocates a new executable buffer in memory and copies the shellcode payload into it. The malware sleeps for another 10 seconds and then calls the API's GetDC() and EnumFontsW(), which it uses to execute the payload in memory by passing its entry point as a callback function.

The Pubload shellcode payload has not undergone any updates since our last reporting. It contains a simple self-decrypting routine before executing its main functionality. Pubload is a simple backdoor capable of downloading encrypted shellcode payloads, which are injected into memory. One of the first payloads is the Pubshell module, which implements a reverse shell to facilitate immediate access to the infected machine.

Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide. Entities at risk of Hive0154 activity should remain at a heightened state of defensive security and remain vigilant with regard to the techniques mentioned in this report.

• Exercise caution with emails containing a Google Drive download link
• Exercise caution with downloaded archives, even if they do contain expected documents. Train staff to display and recognize unexpected file extensions.
• Monitor and hunt in networks for TLS 1.2 Application Data packets (header: 17 03 03) without a previous TLS handshake as a sign of a Pubload or Toneshell beacon
• Monitor and hunt for USB drives containing suspicious executable names, DLLs and hidden directories which could indicate a device infected with a USB worm
• Monitor and hunt for suspicious and unknown directories in C:\ProgramData\* which contain a legitimate EXE vulnerable to DLL sideloading and a corresponding DLL
• Monitor and hunt for persistence techniques in the registry and scheduled tasks
• Monitor any unusual network, persistence or file modification activity coming from seemingly benign process executables that sideload a malicious DLL

IBM X-Force Premier Threat Intelligence is now integrated with OpenCTI by Filigran, delivering actionable threat intelligence about this threat activity and more. Access insights on threat actors, malware, and industry risks. Install the X-Force OpenCTI Connector to enhance detection and response, strengthening your cybersecurity with IBM X-Force’s expertise. Get a 30-Day X-Force Premier Threat Intelligence trial today!